5e1799dcf2c2b14bd7a9471ebdc2ce293a1104036bcce30fddc0be2198c7cc54

Analysis

max time kernel
155s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 10:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5e1799dcf2c2b14bd7a9471ebdc2ce293a1104036bcce30fddc0be2198c7cc54.exe
Size

994KB
MD5

a6e5b08eb7418c10b365b7a9dc3c7de3
SHA1

4ef29aa1be128173f3568eb3078c8ab34dda7458
SHA256

5e1799dcf2c2b14bd7a9471ebdc2ce293a1104036bcce30fddc0be2198c7cc54
SHA512

f0ffbe3b2a78f1a34cb0da2ea617d8b83f86348f71b827bbd41ba44e543f69ea8963ca72926b4eaf46c7d394e9623159140a702335159c705df7d51c1ceacc62
SSDEEP

1536:2fRN2/SWANOttpVxXVIXKL7mxUH1OibPoQT9lnouy8:EOAKnrq6Oxo1OcRJ9out

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-61432235"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-35348617"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-508284"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-98017196"	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 2 IoCs

pid	Process
3612	winlogon.exe
288	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcciomon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndntspst.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hwpe.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jammer.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lookout.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srwatch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qconsole.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup_flowprotector_us.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monwow.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UCCLSID.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSREC.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpinst.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccshtdwn.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupvameeval.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleToolbarInstaller_download_signed.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkpop.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jed.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2-98.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieBITS.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanhnt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sharedaccess.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UI0Detect.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpcc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\flowprotector.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rapapp.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neomonitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tca.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jed.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navauto-protect.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfagent.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navauto-protect.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvc95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pathping.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icloadnt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\css1631.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scrscan.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmlisten.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieDcomLaunch.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidserver.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpfw30s.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autodown.exe	winlogon.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4760-134-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x0007000000022e20-136.dat	upx
behavioral2/files/0x0007000000022e20-137.dat	upx
behavioral2/memory/4760-140-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3612-141-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/288-143-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/files/0x0007000000022e20-144.dat	upx
behavioral2/memory/288-146-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/288-147-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/288-150-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3612-155-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/288-156-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	5e1799dcf2c2b14bd7a9471ebdc2ce293a1104036bcce30fddc0be2198c7cc54.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3434255584152474 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3434255584152474 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3612 set thread context of 288	3612	winlogon.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091332bf7892b5c4d85306be1e886577d000000000200000000001066000000010000200000008f62ac98340905eae9593f062ec42d5ad405d78a81a102f1cbbb136c743b0507000000000e8000000002000020000000b9f23121167c3cbeace645f22e9be4443a0b0b629813a016ee319971d8306d4e2000000055d0d48f41c022a14cbba1dbf67cb6d1426b00d41fd52b479f75883cf0091ba540000000c59d3ab7b6f2e02a5aa4a9688143d9839cbe15d6af1a1fcadd22e0e6bfd45cbd4f025c4af232b962d3d7da4f49a38b7a7d1754a263399121d25629c24092b5a3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091332bf7892b5c4d85306be1e886577d00000000020000000000106600000001000020000000337652f2a14704ada907d85293168a248dd009590ed0be7b4c21343d00f88335000000000e8000000002000020000000339f6bcd8bcb7483c3e387ab36fd58aa8e8c7343da54588ff7f003f67246d15b2000000094a99cd5b7101f56801af0edebe0fe23aa242e9763bd8d3c1890a7fde5cf6cb640000000e0d8a5e74968cb936d684adcf7460bf4ecf974dae6e8069ca7f94e2c2e670d99c47586903008a799da9acbdcb21b91e81332ea3560220dbc0432ad48fef1fbf7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://p3cy602074taaa4.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31001581"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://6r1l3f38jz70m0x.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3711185153"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 600373dced0bd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.hugedomains.com\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hugedomains.com\Total = "32"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://dc9xqw97p0jhy4c.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31001581"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://ke0dz47m019maq0.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://sw732p96ijrgysk.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{020A4385-77E1-11ED-89AC-DAE60F07E07D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3711185153"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20f924deed0bd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hugedomains.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "53"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\hugedomains.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://1ps3i5ihp9t5o09.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://9tucl1okb2j07m8.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hugedomains.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.hugedomains.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091332bf7892b5c4d85306be1e886577d0000000002000000000010660000000100002000000030bf08634b617f6373b298ccf9551704fcf5c958cb4103d41da0826f9afb7ca4000000000e8000000002000020000000bdc9e1fb6de955dc5d3d6e5f3a3811beaf1d33073bb0d0f6ed417792e2f73482200000004ba077fc8b1081918f60466d2698941afdb1eaf0386e4213378081d5d1bbec6d400000005f9b9acc8a8a1fb85e7a56236482d1736485947ca7e435000407e6f66d8728168372ab2879ff7e4aa2070c8d6d625e3797c398e09f8e3cf08cf74fbd641644ba	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60b0dcdeed0bd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://7f705z26po56ac8.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://7a1ltf7783lt9uz.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://ibd4f1lh6i2td8o.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe
288	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	288	winlogon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3240	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4760	5e1799dcf2c2b14bd7a9471ebdc2ce293a1104036bcce30fddc0be2198c7cc54.exe
3612	winlogon.exe
288	winlogon.exe
3240	iexplore.exe
3240	iexplore.exe
1224	IEXPLORE.EXE
1224	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3612	4760	5e1799dcf2c2b14bd7a9471ebdc2ce293a1104036bcce30fddc0be2198c7cc54.exe	82
PID 4760 wrote to memory of 3612	4760	5e1799dcf2c2b14bd7a9471ebdc2ce293a1104036bcce30fddc0be2198c7cc54.exe	82
PID 4760 wrote to memory of 3612	4760	5e1799dcf2c2b14bd7a9471ebdc2ce293a1104036bcce30fddc0be2198c7cc54.exe	82
PID 3612 wrote to memory of 288	3612	winlogon.exe	83
PID 3612 wrote to memory of 288	3612	winlogon.exe	83
PID 3612 wrote to memory of 288	3612	winlogon.exe	83
PID 3612 wrote to memory of 288	3612	winlogon.exe	83
PID 3612 wrote to memory of 288	3612	winlogon.exe	83
PID 3612 wrote to memory of 288	3612	winlogon.exe	83
PID 3612 wrote to memory of 288	3612	winlogon.exe	83
PID 3612 wrote to memory of 288	3612	winlogon.exe	83
PID 3240 wrote to memory of 1224	3240	iexplore.exe	86
PID 3240 wrote to memory of 1224	3240	iexplore.exe	86
PID 3240 wrote to memory of 1224	3240	iexplore.exe	86

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\5e1799dcf2c2b14bd7a9471ebdc2ce293a1104036bcce30fddc0be2198c7cc54.exe
"C:\Users\Admin\AppData\Local\Temp\5e1799dcf2c2b14bd7a9471ebdc2ce293a1104036bcce30fddc0be2198c7cc54.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\E696D64614\winlogon.exe
  "C:\Users\Admin\E696D64614\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Sets file execution options in registry
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:288

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3240 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
2e8dab0111c5f3e9103cae92a9e1cdaa

SHA1
5d16362cf320faeacf5963532354e99e0dce3e2b

SHA256
858dfc9a9af2e0400a91bf3660acb1a123960c5ad53df61b7f73663035e01ba8

SHA512
ee28bf368690e56ada1fc8538330cc22cb57a59a1a5012e73d3e0300dc7410b82f8c2a300625560e69bc19344acc333b2138ec49ca5ddf5f24a54debce685abb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2119239CBE0D3DBEF6F19E0B10265873

Filesize
472B

MD5
0be73f837e6aeb740e5c608fb17237b5

SHA1
4dfd1104c0558f35d83b35ca08e4874052be4bc7

SHA256
9f57778d4b2af1df4ee9000e3be98a38927c78d4d61b8a70f7a6499c2842fa89

SHA512
1bd4cfb2889952a56d3b6c58f181343d491d18d10b645289746176d392426467a9e68f52a48315bb809cd917ac598489b0e2cad995fd689a1b8673376316313e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
2e02780939de763a8bb3e91dfbf21980

SHA1
47e818dcbc1d307b43654dfe3a03b9a7625d9ce4

SHA256
971abb405a443302f8c61627933bd0f46ed6953f5815e298974e6f7532908748

SHA512
51709ae31e885719d848f619c4b3e732b0765a5349484f7c4ca524072a6b0d75f33d3f6c015a0ed4fd188a43d5cc9e0d221d1d7cca5a31a044b73fcbcebbe5fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
0a9af7e2b2a82a43c67bbb531b44e07a

SHA1
982967e6c5b7e896a93ce75c237d651857d132c8

SHA256
167c017e8899b0d25c56db768c8ed19fd45496ccb9566ab81f3784fedab1ac48

SHA512
2496d870c39262baf044c95f9d26dbe9845fc6b3cc6234c753a9ae00c37d2e9d394b50775d92c0a05cc4a4953f5203f9eda8953624927ea765909cfa270da0a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2119239CBE0D3DBEF6F19E0B10265873

Filesize
476B

MD5
88a2f0245843e25fc5d6d2e138bb0929

SHA1
9a94cbfbe02e66a0d8b6df6e02a4e43649d661c5

SHA256
7b63484f6d6287d82c3c9cca527a618959e80187b213e25ec313e4c4bdbc95c7

SHA512
993f39bfd0975ee72823b76615b48fa7e5de64b731977f493078970fb3f2bb7ff1a064a2adccf97cf8583a7e1b8a722e4c65555ca8acdf48eb06399e45a959ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
4891017f53dd70b44d3a43e653a72273

SHA1
d015e3d38256c01cb5c97288eba35f6c8aabf774

SHA256
6e3d25f9595d166fb1ddf5b11a99442f06da0c428bdd56b7e106ee25a2b99bac

SHA512
07cc5b39c2265ffd362b98c59d76bdce29576aeba706e6d635dd8bc0a9081cd7f47d30eb6e77c6bb53bfdbd0111e4a9959aab1ba46936f99f25930c5fb1e986d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
887acea48b12fbdf63e6529c07fe0848

SHA1
6288567b88cdfc12eec9a8ea7af4ca3f6eb7e8e8

SHA256
f9e29afe981a5f0d25e1299357b57dc030d7f3cd903f33bfbf07cc0ff25343a6

SHA512
865cb417943976d81b8b7527b8cac5c7d845a8fbb92b0d2b8bf2e4a126e43a309c476cf8c8d697bf332927af8cf53ada80c707c5402890ca2b72551d3b354a2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
887acea48b12fbdf63e6529c07fe0848

SHA1
6288567b88cdfc12eec9a8ea7af4ca3f6eb7e8e8

SHA256
f9e29afe981a5f0d25e1299357b57dc030d7f3cd903f33bfbf07cc0ff25343a6

SHA512
865cb417943976d81b8b7527b8cac5c7d845a8fbb92b0d2b8bf2e4a126e43a309c476cf8c8d697bf332927af8cf53ada80c707c5402890ca2b72551d3b354a2e

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
994KB

MD5
a6e5b08eb7418c10b365b7a9dc3c7de3

SHA1
4ef29aa1be128173f3568eb3078c8ab34dda7458

SHA256
5e1799dcf2c2b14bd7a9471ebdc2ce293a1104036bcce30fddc0be2198c7cc54

SHA512
f0ffbe3b2a78f1a34cb0da2ea617d8b83f86348f71b827bbd41ba44e543f69ea8963ca72926b4eaf46c7d394e9623159140a702335159c705df7d51c1ceacc62

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
994KB

MD5
a6e5b08eb7418c10b365b7a9dc3c7de3

SHA1
4ef29aa1be128173f3568eb3078c8ab34dda7458

SHA256
5e1799dcf2c2b14bd7a9471ebdc2ce293a1104036bcce30fddc0be2198c7cc54

SHA512
f0ffbe3b2a78f1a34cb0da2ea617d8b83f86348f71b827bbd41ba44e543f69ea8963ca72926b4eaf46c7d394e9623159140a702335159c705df7d51c1ceacc62

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
994KB

MD5
a6e5b08eb7418c10b365b7a9dc3c7de3

SHA1
4ef29aa1be128173f3568eb3078c8ab34dda7458

SHA256
5e1799dcf2c2b14bd7a9471ebdc2ce293a1104036bcce30fddc0be2198c7cc54

SHA512
f0ffbe3b2a78f1a34cb0da2ea617d8b83f86348f71b827bbd41ba44e543f69ea8963ca72926b4eaf46c7d394e9623159140a702335159c705df7d51c1ceacc62

Download Submit
memory/288-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/288-150-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/288-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/288-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/288-156-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3612-155-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3612-141-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4760-134-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4760-140-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download